Authentication journeys
Authentication journeys include identification and authentication steps, such as providing identifiers and authentication methods. Unlike other user journeys, they don't include other kinds of steps, such as business processes.
For authentication journeys, the Access component serves as the main entry point. You configure the relying parties (RP) on the Access admin console, and the Access component is responsible for validating incoming federated login requests. After validation, Access hands over the request to the user journey orchestration module to perform the actual user authentication.
The user journey orchestration module does not manage any user data. When an authentication is successful, Access connects with an identity store and authentication backend to compile the user claims that the relying party requested. The user journey orchestration module supports only authentication where Thales hosts the user interface.
Parts of an authentication journey
To be valid, an authentication journey must provide both identification and authentication for a user.
Each journey follows a basic workflow that you can edit in the journey editor:

Start: The Start is simply the entry point for the journey. There is nothing to configure for the journey start.

Identification and authentication columns

The vertical columns on the journey editor provide options to fulfill both requirements in an authentication journey:
- Identification (ID): The first column fulfills the identification requirement, where the user provides their identifier and the system performs user lookup.
- Authentication (Authn): The second and third columns fulfill the authentication requirement, where the user provides their credential and the system validates it.
The available identification and authentication options depend on what is configured for your tenant and brand.
Identification
The identification column can include identification or identification and authentication options. The Identifier option provides only identification, while the other options provide both identification and authentication.
The following identification options are available:
- IDP from Identity Broker: Federate with social or general identity providers (IDP) that you configured in the identity broker. You can add multiple instances of the IDP from Identity Broker for different IDPs.
- Identifier: Prompt users to provide a unique identifier, which can be either their username, email address, or phone number. This identifier is used to look up and verify the user's account information in the system.
- Identifier and password: Prompt the user to first provide their unique identifier, such as a username, email, or phone number, to locate their account in the system, and then provide their password to authenticate.
  This option includes both identification and authentication in one step, which means that you don't necessarily need an additional step for authentication.
- Passkey: Generate a challenge and prompt users to provide their passkey authenticator to sign the challenge. The signed challenge is then verified. When necessary, the step also performs a user lookup to confirm the user's identity.
Authentication
The authentication columns can include multiple options.
The following authentication options are available:
- IDP from Identity Broker based on home realm detection: Automatically detect the user's realm based on the provided identifier and forward the user to the appropriate external IDP for authentication. The realm is mapped to a specific IDP. This option includes only IDPs from the Identity Broker, not IDPs configured in the Core.
- IDP from Identity Broker: Federate with social or general identity providers (IDP) that you configured in the identity broker. You can add multiple instances of the IDP from Identity Broker for different IDPs.
- Passkey: Generate a challenge and prompt users to provide their passkey authenticator to sign the challenge. The signed challenge is then verified. When necessary, the step also performs a user lookup to confirm the user's identity.
- Password: Prompt the user to enter their password to confirm their identity. The password is verified to ensure that the user's credentials match the account information. The password step comes after the user identifier step, because the password can be verified only together with the user's identifier.
- SMS OTP: Generate a unique, time-sensitive, single-use code and send it to the user's primary phone number by SMS. The user must enter this code into the login page to verify their identity and proceed. SMS OTP comes after a user identifier step, because it needs the user's account information to determine where to send the OTP code.
Groups

In the columns, you can organize multiple options into groups. Each group creates a separate horizontal path through the authentication journey.
In the Identification column, the Identifier option is always in a separate group by itself, because it is the only identification option that does not also provide authentication. This means that a path that starts with the Identifier option must have an additional Authentication step. When you have an Identifier and you add another identification option, the system automatically creates a new group for the new identification option.
On the user login pages, the options are shown in the same order as on the journey editor, but are separated based on the type of identifier or authenticator. This means that only the IDP from identity broker options are displayed in the groups that you create, because IDP from identity broker is the only option that can appear more than once.
The following example shows how the groups on the journey editor are displayed on the user login page, where the identifiers are listed in the same order but are separated by type.

Pages

A page is the set of identification or authentication options that the user sees on one screen.
For the identification column, the user sees all of the options on one page. That page includes all of the groups, with the options listed in the same order as in the journey editor.
For the authentication columns, each group on a path creates a separate page for the user.
On the user login pages, each type of identification method is separated by an OR, and the groups containing the IDP from identity broker option are included in the same groups that you created on the journey editor:
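The rules in the Identification, Authentication, Groups and Pages sections above can be checked mechanically. The following is an added example, not Thales code: it models a journey as columns of groups, enumerates the horizontal paths, flags paths that break the rules stated on this page (no authentication step, Identifier not alone in its group, Password or SMS OTP before an identifier), and lists the login pages a path produces. The data structure, function names and the sample journey are assumptions of this example; only the option names come from the page.

```python
# Added example (not Thales code): a small model of the journey rules described on this
# page. A journey is a list of columns, each column a list of groups, each group a list
# of option names; choosing one group per column forms a horizontal path.
from itertools import product

# Options allowed in the identification column; those also in PROVIDES_AUTHN authenticate too.
IDENTIFICATION = {"Identifier", "Identifier and password", "Passkey", "IDP from Identity Broker"}
PROVIDES_AUTHN = {"Identifier and password", "Passkey", "IDP from Identity Broker",
                  "IDP from Identity Broker based on home realm detection", "Password", "SMS OTP"}
# Options that rely on the user's account having been looked up in an earlier step.
NEEDS_IDENTIFIER = {"Password", "SMS OTP", "IDP from Identity Broker based on home realm detection"}

def paths(journey):
    """Enumerate every horizontal path: one group from each non-empty column, left to right."""
    return [list(p) for p in product(*(col for col in journey if col))]

def validate_path(path):
    """Return the rule violations for one path; an empty list means the path is valid."""
    problems = []
    first = path[0]
    if not set(first) <= IDENTIFICATION:
        problems.append(f"first column must identify the user: {first}")
    if "Identifier" in first and len(first) > 1:
        problems.append("Identifier must be in a group by itself")
    if not any(opt in PROVIDES_AUTHN for group in path for opt in group):
        problems.append("path has no authentication step")
    for opt in first:
        if opt in NEEDS_IDENTIFIER:
            problems.append(f"{opt} must come after an identifier step")
    return problems

def validate_journey(journey):
    """Map each path (rendered as 'group -> group', options joined by '+') to its problems."""
    return {" -> ".join("+".join(g) for g in p): validate_path(p) for p in paths(journey)}

def login_pages(journey, path):
    """Pages the user sees on this path: the whole identification column on one page,
    then one page per authentication group, as the Pages section describes."""
    ident_page = [opt for group in journey[0] for opt in group]
    return [ident_page] + [list(group) for group in path[1:]]

# Constructed sample: Identifier in its own group beside a group with two IDPs, then a
# second column offering Password or SMS OTP; the third column is unused.
SAMPLE = [
    [["Identifier"], ["IDP from Identity Broker", "IDP from Identity Broker"]],
    [["Password"], ["SMS OTP"]],
    [],
]
BROKEN = [[["Identifier"]]]  # identification only, never authenticates
```

Running `validate_journey(SAMPLE)` reports all four paths as valid, while `validate_journey(BROKEN)` reports that the Identifier-only path has no authentication step.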

Conditions

Conditions modify the authentication requirements under different contexts.
You add conditions between steps in an authentication journey. The conditions create branches on the path through a journey, where each branch has different authentication requirements or methods. A condition can also have a branch that leads to authentication failure.
Post-authentication

You can add post-authentication steps to the end of a journey. Post-authentication steps are non-authentication processes that are performed before the session is granted.
Logged in
The result of a successful authentication journey is that the user is logged in.
